What is required for AI Act, GDPR compliance?

Map AI system to both AI Act and GDPR obligations; Ensure human oversight under AI Act Article 14; Comply with GDPR Article 22 right not to be subject to solely automated decisions; Document legal basis under both regulations; Conduct DPIA (GDPR Article 35) and FRIA (AI Act Article 27) where applicable

AI Act, GDPR

AI Act vs GDPR for Automated Decision-Making: How Both Regulations Apply to Your AI System

Name: EU Regulatory Enforcement Corpus
Creator: Fontvera
Published: 2026-04-10
License: https://fontvera.eu/terms
Keywords: AI Act, GDPR, enforcement, compliance

Interaction between AI Act Articles 14 and 22 and GDPR Article 22. For DPOs and compliance teams managing dual-regulation obligations.

Export PDF (Pro)

At a glance

Who this applies to

Organizations deploying AI systems that make or support decisions affecting natural persons, where both AI Act and GDPR apply.

Deadline

August 2, 2026 for AI Act obligations. GDPR Article 22 already active.

What you must have

Map AI system to both AI Act and GDPR obligations
Ensure human oversight under AI Act Article 14
Comply with GDPR Article 22 right not to be subject to solely automated decisions
Document legal basis under both regulations
Conduct DPIA (GDPR Article 35) and FRIA (AI Act Article 27) where applicable

days until AI Act transparency obligations deadline

2026-08-02

Not sure if your AI system is high-risk? Take the 5-minute diagnostic

Intelligence briefing

Who this applies to

This obligation applies to providers and deployers of high-risk AI systems (as defined in Article 6(1) AI Act) that involve automated decision-making, as well as AI systems intended to interact with natural persons (per Article 52(1) AI Act). Public authorities and private entities using AI for employment, credit scoring, or public benefits determinations are explicitly in scope.

What is required

Transparency for high-risk AI systems: Provide clear, concise, and intelligible information to affected individuals about the AI system’s purpose, intended use, and decision-making logic, as required by Article 13(1) AI Act (co-cited with GDPR Art. 13).
Right to explanation for automated decisions: Ensure individuals can obtain an explanation of the decision made by a high-risk AI system, including the main elements considered and the logic involved (Article 14(1) AI Act).
Human oversight mechanisms: Implement procedures to enable human review of automated decisions, as mandated by Article 14(4) AI Act, including the ability to contest or request reconsideration.
Technical documentation for transparency: Maintain and provide, upon request, documentation detailing the system’s training data, performance metrics, and limitations (Article 11(1)(b) AI Act).
Real-time disclosure for interactive AI: For AI systems interacting with individuals (e.g., chatbots, deepfakes), disclose the artificial nature of the interaction before or immediately upon engagement (Article 52(1) AI Act).

Key deadlines

The primary deadline for this obligation is August 2, 2026 (transparency obligations under Articles 50 and 52 AI Act).

Enforcement patterns

AI Act enforcement begins August 2, 2026. No precedent currently exists. This page will be updated as enforcement cases emerge.

Cross-border considerations

Implementation guidance and early enforcement focus vary by member state, with Italy (Garante), Austria (DSB), and Belgium (APD/GBA) showing higher citation rates for Article 14 AI Act (co-cited with GDPR Art. 22). No jurisdiction-specific deviations from the AI Act’s text have been documented in enforcement actions to date.

Cross-reference intelligence

No AI Act article citations in corpus yet. AI Act entered into force August 2024. Article 50 transparency obligations take effect 2 August 2026; Annex III high-risk obligations are expected 2 December 2027 (pending Digital Omnibus formal adoption). This section will populate as citations accumulate.

Analogous GDPR articles

GDPR article citations that relate to this AI Act topic and may inform enforcement patterns.

Article	Citations	Top Countries	Most Co-Cited
GDPR Art. 14	309	IT (61), BE (47), ES (39)	GDPR Art. 13, GDPR Art. 12, GDPR Art. 6(1)
GDPR Art. 22	51	IT (12), ES (8), AT (6)	GDPR Art. 13, GDPR Art. 15, GDPR Art. 25

Regulatory framework

AI Act: Implementation timeline — key dates for compliance

EU · ai_office · 2026-03-24 · aio-implementation-timeline

AI Act: Implementation timeline — key dates for compliance AI Act implementati

AI Act: Requirements for high-risk AI systems (Articles 8-15)

EU · ai_office · 2026-03-24 · aio-high-risk-requirements

AI Act: Requirements for high-risk AI systems (Articles 8-15) Requirements High-ris

AI Act: Transparency obligations for AI systems (Articles 50, 52)

EU · ai_office · 2026-03-24 · aio-transparency

AI Act: Transparency obligations for AI systems (Articles 50, 52) The AI Act imp

EU AI Act — Regulation (EU) 2024/1689 on Artificial Intelligence

EU · ai_office · 2026-03-24 · aio-ai-act-overview

EU AI Act — Regulation (EU) 2024/1689 on Artificial Intelligence Act The EU AI Act (Regulation 2024/1689) is the worl

Cross-regulatory overlap

EDPB Guidelines on the calculation of administrative fines under the GDPR

EU · edpb · 2026-03-18 · 04/2022

EDPB Guidelines on the calculation of administrative fines under the GDPR EDPB Guidelines on the calculation of administrative fines under the GDPR Do

EDPB Binding Decision 01/2023 on the dispute submitted by the Irish SA on Meta Platforms Ireland Lim

EU · edpb · 2026-03-18 · Binding Decision 01/2023

EDPB Binding Decision 01/2023 on the dispute submitted by the Irish SA on Meta Platforms Ireland Limited (Instagram) EDPB Binding Decision 01/2023 on

EDPB Binding Decision 02/2023 on the dispute submitted by the Irish SA on Meta Platforms Ireland Lim

EU · edpb · 2026-03-18 · Binding Decision 02/2023

EDPB Binding Decision 02/2023 on the dispute submitted by the Irish SA on Meta Platforms Ireland Limited (Facebook) EDPB Binding Decision 02/2023 on t

EDPB Binding Decision 04/2022 on the dispute submitted by the Irish SA on WhatsApp Ireland Limited

EU · edpb · 2026-03-18 · Binding Decision 04/2022

EDPB Binding Decision 04/2022 on the dispute submitted by the Irish SA on WhatsApp Ireland Limited EDPB Binding Decision 04/2022 on the dispute submit

EDPB: Automated decision & profiling

EU · edpb · 2026-03-21 · edpb-scraped-automated-decision-profiling_en

EDPB: Automated decision & profiling EDPB: Automated decision & profiling Automated decision & profiling

IMY: Klarna Bank AB — sanktionsavgift 7,5 miljoner SEK

SE · imy · 2026-03-21 · imy-sanktion-klarna-2022

IMY: Klarna Bank AB — sanktionsavgift 7,5 miljoner SEK IMY: Klarna Bank AB — sanktionsavgift 7,5 miljoner SEK K

Sources (13)

AI Act: Implementation timeline — key dates for compliance (ai_office, EU)
AI Act: Requirements for high-risk AI systems (Articles 8-15) (ai_office, EU)
AI Act: Transparency obligations for AI systems (Articles 50, 52) (ai_office, EU)
EU AI Act — Regulation (EU) 2024/1689 on Artificial Intelligence (ai_office, EU)
IMY: Vägledning om AI och dataskydd (imy, SE)
EDPB Guidelines on the calculation of administrative fines under the GDPR (edpb, EU)
EDPB Binding Decision 01/2023 on the dispute submitted by the Irish SA on Meta P (edpb, EU)
EDPB Binding Decision 02/2023 on the dispute submitted by the Irish SA on Meta P (edpb, EU)
EDPB Binding Decision 04/2022 on the dispute submitted by the Irish SA on WhatsA (edpb, EU)
EDPB: Automated decision & profiling (edpb, EU)
IMY: Klarna Bank AB — sanktionsavgift 7,5 miljoner SEK (imy, SE)
IMY: Google — sanktionsavgift 50 miljoner SEK för brister i rätten att bli glömd (imy, SE)
IMY: Spotify — sanktionsavgift 58 miljoner SEK för brister i registrerades rätti (imy, SE)

Get the complete AI Act, GDPR compliance checklist as a PDF

Mapped to enforcement precedents and cross-referenced against 1.2 million regulatory citations. Free.

We'll email you the PDF. No spam. Unsubscribe anytime.

Get unlimited briefings on Fontvera Pro — or browse all intelligence briefings